Managing admin panel users

During the primary node deployment, the unique Default domain is created along with the default user account and project:

  • The default administrator account is created with the unique Superuser permission. The user name for this account is admin and the password is specified during the primary node deployment. This account cannot be deleted or disabled and its permissions cannot be changed. Other than that, admin does not differ from a user who is assigned the System administrator role.
  • The default admin project is a bootstrap project for initializing the compute cloud. It cannot be deleted or renamed.

The Default domain with system users and projects is used by the system for different services. System entities are marked with the System tag and cannot be modified or deleted.

Due to security concerns, you might want to create other system administrators with different permissions to manage the infrastructure. For example, you can create system administrators that are able to monitor the cluster performance and parameters, but cannot change any settings.

Other users, such as domain administrators and project members, have access only to the self-service panel and are required to provision multitenant compute resources.

Limitations

  • System administrators can be created only within the Default domain.

To create a system administrator

Admin panel

  1. On the Settings > Projects and users screen, click the Default domain.
  2. Go to the Domain users tab, and then click Create user.
  3. In the Create user window, specify the user name, password, and, if required, a user email address and description. The user name must be unique within a domain.

    A description should not contain any personally identifiable information or sensitive business data.

  4. Select the System administrator role.
  5. Select the permissions to be granted to the user account from the System permission set section:

    • Full (System administrator): has all permissions and can perform all management operations, including creating projects and managing other users.
    • Compute: can create and manage the compute cluster.
    • ISCSI: can create and manage iSCSI targets, LUNs, and CHAP users.
    • S3: can create and manage the S3 cluster.
    • ABGW: can create and manage the Backup Gateway cluster.
    • NFS: can create and manage NFS shares and exports.
    • Cluster: can create the storage cluster, join nodes to it, and manage (assign and release) disks.
    • Network: can modify networks and traffic types.
    • Update: can install updates.
    • SSH: can add and remove SSH keys for access to cluster nodes.

    The view permission is always enabled.

  6. Enable the full Domain permissions set to allow the user to manage virtual objects in all projects within the Default domain and other users in the self-service panel.

  7. Enable Image uploading to allow the user to upload images.

  8. Click Create.

Command-line interface

Use the following command:

vinfra domain user create [--email <email>] [--description <description>]
                          [--system-permissions <system_permissions>]
                          [--enable | --disable] --domain <domain> <name>
--email <email>
User email
--description <description>
User description. A description should not contain any personally identifiable information or sensitive business data.

--system-permissions <system_permissions>
A comma-separated list of system permissions. View the list of available system permissions using vinfra domain user list-available-roles | grep system.
--enable
Enable user
--disable
Disable user
--domain <domain>
Domain name or ID
<name>
User name

For example, to create a system administrator account called mysysadmin within the domain Default, to manage the compute cluster, run:

# vinfra domain user create mysysadmin --domain Default --system-permissions compute

Specify the user password when prompted.

The created system administrator will appear in the vinfra domain user list output:

# vinfra domain user list --domain Default
+----------------------------------+-----------------------+-------+---------+-------------+--------------------+-------------------+
| id                               | name                  | email | enabled | description | domain_permissions | assigned_projects |
+----------------------------------+-----------------------+-------+---------+-------------+--------------------+-------------------+
| 1d207818a205433fabb85d68ff8bd45a | nova                  |       | True    |             | []                 | []                |
| 1eb4cd6272d84d0a824877a8afe16269 | heat                  |       | True    |             | []                 | []                |
| 4ae74e324e7241139e1357c9ce65f0b1 | backup-service-user   |       | False   |             | []                 | []                |
| 4e7db09ec1794aff92cbac0a70159478 | gnocchi               |       | True    |             | []                 | []                |
| 8d54115532ee421a8551ab32910998ad | octavia               |       | True    |             | []                 | []                |
| 8fd6757e10494c399cd8445dd8c83c87 | barbican              |       | True    |             | []                 | []                |
| 9e462afe59a742049970bdbb902569d1 | neutron               |       | True    |             | []                 | []                |
| a2c7eda0ea5a45749d0af7742ace85b0 | glance                |       | True    |             | []                 | []                |
| a91aa030575c474f9753abda3bf7afa0 | cinder                |       | True    |             | []                 | []                |
| c727a901a6444ee1a8ad31e3d5b53b3a | admin                 |       | True    |             | []                 | []                |
| ca92d0b41f354a6882f24e0eb101b4ea | vstorage-service-user |       | True    |             | []                 | []                |
| e03bf89a89ef4a018dbf5aae107beed8 | mysysadmin            |       | True    |             | []                 | []                |
| ed4b3f0b6e61470ba0b79662671679f6 | ceilometer            |       | True    |             | []                 | []                |
| f62f123df20c4b388fefebf058fb185c | placement             |       | True    |             | []                 | []                |
+----------------------------------+-----------------------+-------+---------+-------------+--------------------+-------------------+
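The listing above can also be checked against the set of accounts you expect to exist. The following is an added example, not part of the product or its documentation: it parses the table printed by vinfra domain user list and reports enabled accounts that are not on an approved list, as well as any account whose domain_permissions column is not empty. The function names and the approved list are hypothetical, and the parser assumes that no column value contains a "|" character.

```bash
#!/usr/bin/env bash
# Added example, not product code. Function names and the approved list
# are hypothetical. Assumes no column value contains a "|" character.

# A subset of the rows from the sample output above (whitespace condensed),
# embedded so that the example runs without a cluster.
sample_table() {
cat <<'EOF'
+----------------------------------+---------------------+-------+---------+-------------+--------------------+-------------------+
| id                               | name                | email | enabled | description | domain_permissions | assigned_projects |
+----------------------------------+---------------------+-------+---------+-------------+--------------------+-------------------+
| 1d207818a205433fabb85d68ff8bd45a | nova                |       | True    |             | []                 | []                |
| 4ae74e324e7241139e1357c9ce65f0b1 | backup-service-user |       | False   |             | []                 | []                |
| c727a901a6444ee1a8ad31e3d5b53b3a | admin               |       | True    |             | []                 | []                |
| e03bf89a89ef4a018dbf5aae107beed8 | mysysadmin          |       | True    |             | []                 | []                |
+----------------------------------+---------------------+-------+---------+-------------+--------------------+-------------------+
EOF
}

# Reads the table on stdin; $1 is a space-separated list of approved names.
# Prints "UNAPPROVED <name> <id>" for each enabled account not on the list
# and "DOMAIN_PERMS <name> <value>" for each non-empty domain_permissions.
audit_domain_users() {
    approved="$1"
    awk -F'|' -v approved="$approved" '
        BEGIN {
            n = split(approved, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Data rows start with "|"; border rows start with "+".
        /^\|/ {
            # Trim the padding around every column value.
            for (i = 2; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            id = $2; name = $3; enabled = $5; domperm = $7
            if (id == "id") next          # header row
            if (enabled == "True" && !(name in ok))
                printf "UNAPPROVED %s %s\n", name, id
            if (domperm != "[]")
                printf "DOMAIN_PERMS %s %s\n", name, domperm
        }'
}

# On a live cluster:
#   vinfra domain user list --domain Default | audit_domain_users "<names>"
sample_table | audit_domain_users "admin nova"
```

With the approved list "admin nova", the only line reported for the sample rows is the newly created mysysadmin account; the disabled backup-service-user is not reported.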

To change the password

Admin panel

  1. In the top right corner of the admin panel, click the user icon, and then click Change password.
  2. In the Change password window, enter the current password and enter a new password twice.
  3. Click Save.

Command-line interface

  • For the default administrator account, use the following command:

    vinfra cluster user change-password

    When prompted, enter the current and a new password, and then repeat the new password for confirmation.

  • For other accounts, use the following command:

    vinfra domain user set [--password] --domain <domain> <user>
    
    --password
    Request the password from stdin
    --domain <domain>
    Domain name or ID
    <user>
    User ID or name

    For example, to change the password for the system administrator mysysadmin, run:

    # vinfra domain user set mysysadmin --domain Default --password

    When prompted, enter a new password, which will replace the old one.